eliminate insecureSkipTLSVerify=true in karmada

[chaosi-zju]

What would you like to be added:

insecureSkipTLSVerify=true means prohibit clientside from verifing the cert of serverside, this is an unsafe configuration, we can avoid unnecessary unsafe configurations.

• 1. remove insecureSkipTLSVerify in YAML artifacts used by deploy-karmada.sh. (verification method: exec hack/local-up-karmada.sh success) remove insecureSkipTLSVerify in local-up-karmada script #4026
• 2. remove insecureSkipTLSVerify in karmadactl init. (verification method: exec karmadactl init success). remove insecureSkipTLSVerify in karmadactl #4061
• 3. remove insecureSkipTLSVerify in helm chart. (verification method: exec helm install success). remove insecureSkipTLSVerify in helm chart #4033
• 4. remove insecureSkipTLSVerify in test code. remove insecureSkipTLSVerify in UT test #4062
• 5. remove insecureSkipTLSVerify in operator (verification method: install by operator success). remove insecureSkipTLSVerify in operator #4063
  6. remove insecureSkipTLSVerify in karmadactl register. （just one line, can not be deleted）

Why is this needed:

avoid unnecessary unsafe configurations.

[chaosi-zju]

/assign

[RainbowMango]

remove insecureSkipTLSVerify in karmadactl register. （just one line, can not be deleted）

I guess you mean this piece of code:
https://github.com/karmada-io/karmada/blob/f2c7d0b80614816879d9fe734b334602ac9850f5/pkg/karmadactl/register/register.go#L839C6-L839C6

Why can not be removed?

[chaosi-zju]

@RainbowMango yes, is this line：

karmada/pkg/karmadactl/register/register.go

Lines 835 to 848 in f2c7d0b

	// buildInsecureBootstrapKubeConfig makes a kubeconfig object that connects insecurely to the API Server for bootstrapping purposes
	func buildInsecureBootstrapKubeConfig(endpoint, clustername string) *clientcmdapi.Config {
	controlPlaneEndpoint := fmt.Sprintf("https://%s", endpoint)
	bootstrapConfig := CreateBasic(controlPlaneEndpoint, clustername, BootstrapUserName, []byte{})
	bootstrapConfig.Clusters[clustername].InsecureSkipTLSVerify = true
	return bootstrapConfig
	}
	// buildSecureBootstrapKubeConfig makes a kubeconfig object that connects securely to the API Server for bootstrapping purposes (validating with the specified CA)
	func buildSecureBootstrapKubeConfig(endpoint string, caCert []byte, clustername string) *clientcmdapi.Config {
	controlPlaneEndpoint := fmt.Sprintf("https://%s", endpoint)
	bootstrapConfig := CreateBasic(controlPlaneEndpoint, clustername, BootstrapUserName, caCert)
	return bootstrapConfig
	}

The corresponding code are building kubeconfig for member cluster to access Karmada, including：

1、member cluster use token to get CA from karmada-apiserver (one-way authentication, a token and InsecureSkipTLSVerify flag in temporary kubeconfig is needed).

2、member cluster use Bootstrap Token to access karmada-apiserver to apply for assignment of certificate (two-way authentication, Bootstrap Token and CA in temporary kubeconfig is needed).

3、 write certificate and CA into kubeconfig, then member cluster can access karmada-apiserver by this kubeconfig in following requests.

if remove bootstrapConfig.Clusters[clustername].InsecureSkipTLSVerify = true this line, then above step 1 will failed.

[RainbowMango]

Thanks for the clarification.
/close
as all tasks have been resolved.

[karmada-bot]

@RainbowMango: Closing this issue.

In response to this:

Thanks for the clarification.
/close
as all tasks has been resolved.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.